Cyber Resilience

CVE-2026-30223

HighPublic PoC

Published: 06 March 2026

Published
06 March 2026
Modified
12 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 21.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30223 is a high-severity Improper Authentication (CWE-287) vulnerability in Olivetin Olivetin. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-30223 is a high-severity authentication vulnerability (CVSS 3.1 score of 8.8) affecting OliveTin, an open-source web interface that provides access to predefined shell commands. In versions prior to 3000.11.1, when JWT authentication is configured using either a local RSA public key via "authJwtPubKeyPath" or an HMAC secret via "authJwtHmacSecret", the configured audience value ("authJwtAud") is not enforced during token parsing. This flaw, linked to CWE-287 (Improper Authentication) and CWE-345 (Insufficient Verification of Data Authenticity), allows validly signed JWT tokens with an incorrect audience claim to be accepted, enabling cross-service token misuse.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), potentially achieving high confidentiality, integrity, and availability impacts (C:I:A:H). Specifically, if an attacker obtains a JWT token signed with the same key or secret but intended for a different audience or service, they can authenticate to OliveTin and execute its predefined shell commands, leading to arbitrary command execution on the host system.

The issue has been addressed in OliveTin version 3000.11.1, as detailed in the project's security advisory (GHSA-g962-2j28-3cg9), release notes, and the patching commit. Security practitioners should upgrade to 3000.11.1 or later to enforce audience validation during JWT parsing and mitigate the risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, when JWT authentication is configured using either "authJwtPubKeyPath" (local RSA public key) or "authJwtHmacSecret" (HMAC secret), the configured audience value (authJwtAud) is not enforced during…

more

token parsing. As a result, validly signed JWT tokens with an incorrect aud claim are accepted for authentication. This allows authentication using tokens intended for a different audience/service. This issue has been patched in version 3000.11.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The auth bypass (missing JWT audience enforcement) directly enables remote exploitation of the public-facing OliveTin web app (T1190) to run arbitrary predefined shell commands on the host (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27626Same product: Olivetin Olivetin
CVE-2026-31817Same product: Olivetin Olivetin
CVE-2026-28789Same product: Olivetin Olivetin
CVE-2026-28790Same product: Olivetin Olivetin
CVE-2026-28342Same product: Olivetin Olivetin
CVE-2026-2248Shared CWE-287
CVE-2026-30851Shared CWE-287, CWE-345
CVE-2025-34186Shared CWE-287
CVE-2025-52376Shared CWE-287
CVE-2025-1044Shared CWE-287

Affected Assets

olivetin
olivetin
≤ 3000.11.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-2 requires robust identification and authentication mechanisms for organizational users that fully validate JWT tokens including the audience claim to prevent acceptance of cross-service tokens.

prevent

IA-5 ensures authenticators like JWTs are managed with sufficient strength of mechanism, including proper verification of claims such as audience during token parsing.

prevent

AC-3 enforces approved access authorizations only after validated authentication, mitigating unauthorized access to shell commands via flawed JWT audience enforcement.

References